Backup Encryption and GDPR in 2026: Why Unencrypted Backups Are the Most Expensive Compliance Failure

Quick Answer: GDPR Article 32 explicitly names encryption as a security measure for personal data. Unencrypted backups have caused multiple GDPR fines, including a €3 million penalty against Allium UPI in Estonia (2024) where improperly secured database backups exposed 750,000 individuals’ data. NIS2 Article 21(2)(h) mandates cryptography. ISO 27001 Annex A 8.24 requires cryptographic controls. AES-256 backup encryption with proper key management satisfies all three frameworks simultaneously. Setup cost: €139 fixed price at Optimum Web. Time: 5 business days.

Your database is encrypted. Your API uses HTTPS. Your login page has MFA. Your security posture looks solid.

But where do your backups go every night?

If the answer involves an unencrypted file sitting on a backup server, an S3 bucket without server-side encryption, or a database dump transferred over the network without TLS — you have a compliance gap that regulators have fined companies millions for.

Backup encryption is the single easiest compliance win in cybersecurity: one fix, three frameworks satisfied (GDPR, NIS2, ISO 27001), €139, and your auditor stops asking uncomfortable questions.

Yet an astonishing number of companies still run unencrypted backups. This article explains why that’s dangerous, what regulators require, what happens when things go wrong, and how to fix it in 5 business days.

In 2024, Estonia’s Data Protection Inspectorate fined Allium UPI OÜ €3 million after a data breach compromised the personal information of 750,000 individuals. The breach exposed health-related purchase data and contact details from the Apotheka loyalty program.

Among the specific failures cited by the regulator: the company “failed to implement even basic cyber hygiene measures” — and one of the explicitly mentioned failures was improperly secured database backups.

This wasn’t a sophisticated attack. It wasn’t a zero-day exploit or an APT campaign. It was basic hygiene: backups that should have been encrypted weren’t. And the price was €3 million plus the reputational damage of exposing 750,000 people’s pharmacy purchases.

Allium UPI is not an outlier. It’s a pattern.

Most companies focus security efforts on the production environment: firewalls, encryption in transit, access controls, monitoring. The production database is encrypted at rest. The API enforces HTTPS. Everything looks secure.

But backups create a shadow copy of all that data — often with weaker protections:

Article 32(1)(a) of the GDPR states: *The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data.*

This is one of the few places in the GDPR where a specific technical measure is named explicitly. The regulation generally avoids prescribing technologies — but encryption is called out by name.

What this means for backups:

Article 32(1)(d) requires a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

What this means: You must not only encrypt backups — you must verify that:

Article 34(3)(a) states that individual notification after a breach is not required if the controller has implemented appropriate technical protection measures that render the personal data unintelligible to any person who is not authorised to access it — such as encryption.

This is critical: If your data is breached but the backups were encrypted with AES-256 and the encryption keys were not compromised — you may not need to notify the 750,000 affected individuals. This alone saves hundreds of thousands of euros in notification costs, legal fees, and reputational damage.

Encryption doesn’t prevent the breach. But it prevents the breach from becoming a catastrophe.

NIS2 Article 21(2)(h) explicitly mandates: *Policies and procedures regarding the use of cryptography and, where appropriate, encryption.* For essential and important entities in the EU, NIS2 doesn’t just say “encrypt your data.” It requires documented policies covering backup encryption, which encryption algorithms are used (AES-256), key management procedures, and evidence that the policy is implemented. Penalty: up to €10 million or 2% of global annual turnover for essential entities.

ISO 27001:2022 Annex A 8.24 requires: *Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.* If your auditor finds unencrypted backups containing personal or sensitive data, this is a nonconformity against A.8.24 — potentially a major nonconformity that can block certification.

ISO 27001 Annex A 8.13 additionally requires encrypted, tested, documented backups: A.8.13 says you must have backups. A.8.24 says you must encrypt them. Together they create a clear obligation.

SOC 2 Trust Service Criteria CC6.1 addresses the encryption of data in storage and in transit. For SOC 2 Type II audits, the auditor expects:

Backup encryption has two components. Both are required for compliance.

The backup file stored on disk or in cloud storage must be encrypted so that anyone who accesses the file without the decryption key sees only random data.

Standard: AES-256 (Advanced Encryption Standard, 256-bit key). This is the gold standard — used by governments, military, and financial institutions worldwide. There is no known practical attack against AES-256.

Implementation options:

When backups are transferred from the source to the backup destination, the network connection must be encrypted.

Standard: TLS 1.3 (or minimum TLS 1.2). Older protocols (SSL, TLS 1.0, TLS 1.1) are deprecated and should not be used.

Implementation:

Encryption is only as strong as the key management. If the encryption key is stored next to the encrypted backup — it’s equivalent to locking a door and taping the key to the doorframe.

Best practices:

Our Backup Encryption Setup service covers everything described above:

The ratio: €139 vs €3,000,000+. This is not a difficult decision.

“Our cloud provider encrypts everything by default” — Not always. AWS S3 buckets created before January 2023 do not have default encryption. Google Cloud Storage requires explicit configuration for customer-managed keys. Even with default encryption, you still need to verify it’s enabled, document it, and ensure key management meets compliance standards.

“Encryption will slow down our backups” — AES-256 with hardware acceleration (AES-NI, available on all modern CPUs since 2010) adds less than 5% overhead to backup time. A backup that takes 10 minutes will take 10 minutes and 30 seconds.

“We’ll set it up ourselves when we have time” — Every day without encrypted backups is a day of non-compliance. The Allium UPI fine was €3 million specifically because basic measures like backup encryption were not implemented despite being known requirements.

“Nobody will steal our backups” — The Verizon 2025 DBIR reports that 22% of breaches involve stolen credentials. An attacker with server access can download your unencrypted backup file in minutes and have a complete copy of every record in your database.

Backup encryption is one piece of a larger backup compliance strategy:

Start with Backup Encryption (€139) if you need the fastest compliance win. Expand to GDPR-Compliant Backup (€449) if you need a complete backup overhaul.

Every night, your backup job creates an unencrypted copy of your entire database and puts it somewhere. That “somewhere” is either encrypted and properly managed — or it’s a compliance violation and a breach waiting to happen.

€139 and 5 business days. That’s all it takes to close this gap across GDPR, NIS2, ISO 27001, and SOC 2 simultaneously.